* configure.ac (NEED_LIBGCRYPT_VERSION): Set to 1.11.0
* agent/pkdecrypt.c (struct ecc_params): Move constants to the top.
--
It does not make anymore sense to allow building with older Libgcrypt
versions. After all PQ key support is a major feature and for this we
need Libgcrypt.
* agent/pkdecrypt.c (composite_pgp_kem_decrypt): Care about
ML-KEM 512 and 1024.
--
Co-authored-by: Werner Koch <wk@gnupg.org>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/pkdecrypt.c (agent_hybrid_pgp_kem_decrypt): Change the format
of SEXP in the protocol for symmetric cipher algorithm identifier.
--
GnuPG-bug-id: 7014
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/pkdecrypt.c (agent_hybrid_pgp_kem_decrypt): Don't hard code
the value of FIXED_INFO. Get it from frontend.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/cvt-openpgp.c (extract_private_key): Support Kyber algorithms.
* common/openpgp-oid.c (map_gcry_pk_to_openpgp): Map KEM to Kyber.
* common/sexputil.c (get_pk_algo_from_key): Increase buffer for use
with "kyber1024".
* g10/call-agent.c (agent_get_keyinfo): Fix warning.
* g10/keygen.c (do_create_from_keygrip): Support Kyber.
(ask_algo): Ditto.
--
To test create a standard key and the use --edit-key and "addkey" with
selection 13 and use the comma delimited keygrips.
GnuPG-bug-id: 7014
* agent/command.c (cmd_pkdecrypt): Fix comparison.
* agent/agent.h (enum kemids): Rename type and strip trailing comma.
* agent/pkdecrypt.c (agent_hybrid_pgp_kem_decrypt): Allow building
with Libgcrypt < 1.11
--
Eventually we should change the libgcrypt requirement in configure.
* agent/gpg-agent.c (parse_rereadable_options): Use make_filename_try
for opt.pinentry_program. Change definition accordingly.
* g10/gpg.c (main): Use make_filename for agent_program,
dirmngr_program, and keyboxd_program. Change definition accordingly.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-card.c (parse_arguments): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpg-wks-client.c (parse_arguments): Likewise. Do it also for
option --output.
(process_confirmation_request): Print a note for a successful sent.
--
GnuPG-bug-id: 7017
* agent/command.c (cmd_get_passphrase): Allow use in restricted mode
but ignore the cacheid.
--
The use case is symmetric encryption via the extra-socket. To avoid
that the gpg running on the server has access to the cache we set the
cache id to NULL so that the cache is not used at all.
* agent/agent.h (struct ephemeral_private_key_s): New.
(struct server_control_s): Add ephemeral_mode and ephemeral_keys.
(GENKEY_FLAG_NO_PROTECTION, GENKEY_FLAG_PRESET): New.
* agent/genkey.c (clear_ephemeral_keys): New.
(store_key): Add arg ctrl and implement ephemeral_mode. Change all
callers.
(agent_genkey): Replace args no_protection and preset by a generic new
flags arg.
* agent/findkey.c (wipe_and_fclose): New.
(agent_write_private_key): Add arg ctrl and implement ephemeral_mode.
Change all callers.
(agent_update_private_key): Ditto
(read_key_file): Ditto.
(agent_key_available): Ditto.
* agent/command-ssh.c (card_key_available): Do not update display s/n
in ephemeral mode. This is however enver triggred.
* agent/gpg-agent.c (agent_deinit_default_ctrl): Cleanup ephemeral
keys.
* agent/command.c (cmd_genkey): Use the new flags instead of separate
vars.
(cmd_readkey): Create a shadow key only in non-ephemeral_mode.
(cmd_getinfo): Add sub-command "ephemeral".
(option_handler): Add option "ephemeral".
--
The idea here that a session can be switched in an ephemeral mode
which does not store or read keys from disk but keeps them local to
the session.
GnuPG-bug-id: 6944
* agent/gpg-agent.c (main): The value of reliable_homedir_inotify
doesn't not related to nodetach, and it's only zero in the specific
condition.
* kbx/keyboxd.c (handle_connections): Remove the last argument.
(main): Remove reliable_homedir_inotify, as it's always one.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/gpg-agent.c (reliable_homedir_inotify): Remove the global.
(handle_connections): Add reliable_homedir_inotify as an arg.
Don't call gnupg_inotify_watch_delete_self when it's not reliable.
(check_others_thread): No check of reliable_homedir_inotify repeatedly
in the loop.
* kbx/keyboxd.c (reliable_homedir_inotify): Remove the global.
(handle_connections): Add reliable_homedir_inotify as an arg.
(handle_tick): No check of reliable_homedir_inotify in the loop.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/gpg-agent.c (handle_connections): Don't disable use of inotify
when it has the --disable-check-own-socket option.
--
Before the fix, it checks the homedir using the gnupg_stat function
when --disable-check-own-socket is enabled, without trying use of
inotify.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/findkey.c (read_key_file): Add optional arg r_orig_key_value
to return the old Key value. Change all callers.
(agent_write_private_key): Detect whether the Key entry was really
changed.
--
GnuPG-bug-id: 6829
* common/name-value.c (struct name_value_container): Add flag
"modified".
(nvc_modified): New.
(nvc_new): Set flag.
(_nvc_add): Set flag.
(nvc_delete): Set flag.
(nvc_set): Set flag unless value did not change.
(nve_set): Add arg PK. Change the caller.
* agent/findkey.c (agent_write_private_key): Update only if modified.
--
This helps software which uses a file system watcher to track changes
to private keys. In particular smartcard triggered changes are a
problem for such software because this may at worst trigger another
smartcard read.
GnuPG-bug-id: 6829
* agent/divert-tpm2.c (agent_write_tpm2_shadow_key): Call
agent_delete_key before agent_write_private_key. Recover
from an error.
--
Cherry-picked from master commit of:
eda3997b439e415f1bebaa3be20c8bdb43d3a1d0
Fixes-commit: a1015bf2fc07dabb1200eab5fa41f13e7bf98202
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
* agent/divert-tpm2.c (agent_write_tpm2_shadow_key): Call
agent_delete_key before agent_write_private_key. Recover
from an error.
--
Fixes-commit: a1015bf2fc07dabb1200eab5fa41f13e7bf98202
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
* agent/gpg-agent.c (handle_connections): Also check SOCK_INOTIFY_FD
when spawning check_onw_socket_thread. When removal of the socket
is detected, do same as AGENT_PROBLEM_SOCKET_TAKEOVER.
--
GnuPG-bug-id: 6692
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/cache.c (remove_from_timer_list_new): Fix cut&paste error.
TV_SEC field should not be touched.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/cache.c (struct timer_s): New.
(struct cache_item_s): Add a member filed T for timer.
(the_timer_list, the_timer_list_new): New.
(insert_to_timer_list_new, insert_to_timer_list): New.
(remove_from_timer_list, remove_from_timer_list_new): New.
(housekeeping): Remove.
(compute_expiration, update_expiration): New.
(do_expire): New.
(TIMERTICK_INTERVAL): Remove.
(agent_cache_expiration): Use timer list to manage the expiration
of cache entries.
(agent_flush_cache): Call update_expiration when needed.
(agent_put_cache): Don't call housekeeping any more, but
update_expiration for an entry in question.
(agent_get_cache): Likewise.
--
GnuPG-bug-id: 6681
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>